Use resource groups for fine-grained access control - Anycast Elastic IP Address

When you use Resource Groups to group and manage your resources, you can integrate with Resource Access Management (RAM) to isolate resources and implement fine-grained permission management within a single Alibaba Cloud account. This document describes how Anycast EIP supports Resource Groups and outlines the steps for resource group-level authorization.

Note

Resource group-level authorization takes effect only for supported resource types and actions that support resource group-level authorization.
For resource types that do not support Resource Groups, granting permissions for a specific Resource Group has no effect. Instead, you must grant permissions at the account level. For more information, see Actions that do not support resource group-level authorization.

How it works

You can use Resource Groups to organize and manage resources in your Alibaba Cloud account. For example, you can create a dedicated Resource Group for each project and transfer resources into their respective groups for centralized management. For more information, see What is a Resource Group?.

After you group your resources, you can grant permissions for a specific Resource Group to different RAM identities, such as RAM users, RAM user groups, or RAM roles. This restricts the RAM identity to managing resources only within that Resource Group. For more information, see Resource grouping and authorization.

This authorization method offers the following benefits:

Fine-grained permissions: Ensure each identity has the precise resource access permissions it needs, preventing resources from different projects from being managed together in the same account.
Scalability: When you add new resources, simply add them to the Resource Group. The RAM identity automatically gains the necessary permissions for the new resources without requiring additional authorization.

Grant resource group permissions to a RAM user

This section uses a RAM user as an example to demonstrate how to grant permissions on Anycast EIP resources within a specific Resource Group.

Step 1: Prerequisites

Create a RAM user. For more information, see Create a RAM user.
Create a Resource Group and transfer existing resources to the target Resource Group. For more information, see Create a Resource Group, Automatically transfer resources to a resource group, and Manually transfer resources to a resource group.

Step 2: Grant resource group-level permissions

You can grant resource group-level permissions by using either of the following methods.

Resource Management console

Use the permission management feature of a Resource Group to grant permissions to a specific RAM user. For detailed instructions, see Grant permissions scoped to a Resource Group to a RAM identity.

Log in to the Resource Management console.
On the Resource Groups page, find the target Resource Group and click Manage Permissions in the Actions column.
On the Manage Permissions tab, click Grant Permission.
In the Grant Permission panel, configure the principal and permission policy.
- Principal: Select an existing RAM user.
- Policy: Select a System Policy or a Custom Policy that you created. For more information, see Create a custom permission policy.
Click Confirm.

RAM console

Grant resource group-level permissions to a RAM user in the RAM console. For detailed instructions, see Manage RAM user permissions.

Log in to the RAM console as an Alibaba Cloud account (root user) or a RAM administrator.
In the left-side navigation pane, choose Identities > Users. On the Users page, find the target RAM user and click Add Permissions in the Actions column.
In the Add Permissions panel, configure the settings to add permissions to the RAM user.
- Resource Scope: Select Resource Group Level.
- Principal: Select an existing RAM user or the RAM user that you created.
- Policy: Select a System Policy or a Custom Policy that you created. For more information, see Create a custom permission policy.
Click Confirm.

Supported resource types

The following table lists the Anycast EIP resource types that support Resource Groups.

Cloud service	Service code	Resource type
Anycast EIP	eipanycast	anycasteipaddress: Anycast EIP address

Note

If you need support for a resource type that is not yet supported by Resource Groups, you can submit feedback in the Resource Management console.

Actions without resource group authorization

The following actions in Anycast EIP do not support resource group-level authorization:

Action

Description

For actions that do not support resource group-level authorization, selecting resource group-level as the resource scope has no effect. If a RAM user still needs these permissions, you must create a custom permission policy and select account-level as the resource scope during authorization.

The following are two examples of custom permission policies. You can modify the policy content as needed.

Allow all read-only actions that do not support resource group-level authorization: List all read-only actions that do not support resource group-level authorization in the Action element.
```
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
      ],
      "Resource": "*"
    }
  ]
}
```
Allow all actions that do not support resource group-level authorization: List all actions that do not support resource group-level authorization in the Action element.
```
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
      ],
      "Resource": "*"
    }
  ]
}
```

Important

A RAM user or RAM role with account-level permissions can manage all resources in the account. Always grant permissions according to the principle of least privilege and verify that only the intended permissions are granted.

FAQ

Check a resource's resource group

Method 1: Click the resource name to go to its details page. The Resource Group of the resource is displayed on the page.
Method 2: Log in to the Resource Management console. In the left-side navigation pane, choose Resource Center > Resource Search. In the left-side pane, select the account to which the resource belongs (Current Account is selected by default). Use the filter conditions to find the target resource and view its Resource Group.

View product resources in a resource group

Method 1: Log in to the Resource Management console. In the left-side navigation pane, choose Resource Center > Resource Search. Under the account section in the left-side pane (Current Account is selected by default), click the name of the target Resource Group. Then, in the Select Resource Type section on the right, select the product to view all of its resources within that Resource Group.
Method 2: Log on to the Resource Management console, click Resource Group > Resource Group, find the target resource group, and click Manage Resources in the Actions column of its row. On the Manage Resources page, select the product from the Product drop-down list to view all resources of the product in the resource group.

Move multiple resources to another resource group

Log in to the Resource Management console. In the left-side navigation pane, choose Resource Groups > Resource Groups. Find the target Resource Group and click Manage Resources in the Actions column to go to the resource management page. Use the filter conditions to locate the target resources. Select the checkboxes in the first column for the resources you want to move, click Transfer Resources at the bottom, and then follow the on-screen instructions to complete the process.